This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 7.10:
ktorrent 2.2.1-0ubuntu3.1

Ubuntu 8.04 LTS:
ktorrent 2.2.5-0ubuntu1.1

Ubuntu 8.10:
ktorrent 3.1.2+dfsg.1-0ubuntu2.1

After a standard system upgrade you need to restart KTorrent to effect
the necessary changes.

Details follow:

It was discovered that KTorrent did not properly restrict access when using the
web interface plugin. A remote attacker could use a crafted HTTP request to
upload arbitrary torrent files, triggering the start of downloads and seeding.
(CVE-2008-5905)

It was discovered that KTorrent did not properly handle certain parameters when
using the web interface plugin. A remote attacker could use crafted HTTP
requests to execute arbitrary PHP code. (CVE-2008-5906)

Summary
=======
There is an HTML injection vulnerability in the WebLogic Server 10
Administration Console that allows an attacker to gain administrative
access to the server. It is possible to craft a URL that, when
requested from the server, returns a document with arbitrarily chosen HTML
injected. An obvious use for this type of vulnerability is cross-site
scripting, which can be used, among other things, to obtain session
cookies from WebLogic administrators. These cookies, once stolen, give
the attacker administrative access to the WebLogic Administration
Console, compromising the security of the entire web server.

This vulnerability is exploitable even if the Administration Console is
only being accessed via HTTPS, and even if the Administrative Port is
enabled.

Product Coverage
================
- WebLogic Server 10.0

Note: Our tests were only performed on the above product version. Other
versions may or may not be affected.

Analysis
========
Some URL argument in the WebLogic Server 10 Administration Console is
not properly sanitized against HTML injection, which allows the attacker
to introduce additional, malicious HTML to the server's response. The
most common type of HTML injection is injection of malicious client-side
script, commonly known as cross-site scripting.

In an actual attack the user would not be required to open URLs specified
by the attacker. Instead, a malicious web page visited by the logged-in
WebLogic administrator would mount the entire attack automatically and
covertly. For instance, a tiny 0x0 pixel iframe could be used for loading
the URL from the demonstration immediately upon administrator's visit to
the malicious page, injecting the malicious script to the WebLogic
server's response. This malicious script would then silently send the
administrator's session cookies to the attacker's server, where she could
pick them up and use them to enter the administrator's session in the
Administration Console.

Mitigating Factors
==================
- In order to execute the above attack, the attacker would need to make
the administrator's browser visit a malicious web page while the
administrator is logged into the Administration Console. This can be
achieved using social engineering, network traffic modification or a
combination of both.

- If the attacker manages to obtain a valid ADMINCONSOLESESSION cookie
(and optionally _WL_AUTHCOOKIE_ADMINCONSOLESESSION cookie), these will
only be useful until the administrator logs out of the Administration
Console. However, the attacker knowing that might rush to create a new
administrative user in the console and use that user for WebLogic
administration after the legitimate administrator has logged off.

Solution
========
ORACLE has issued a security bulletin [1] and published a patch which
fixes this issue.

Workaround
==========
- WebLogic administrators can be trained not to browse other web pages
while logged in to the Administration Console. However, since some
hyperlinks in the console point to servers on the Internet (e.g.,
http://support.bea.com), the attacker could watch the administrator's
Internet traffic and detect such requests as a strong sign that the
administrator is currently logged in to the Administration Console. She
would then slightly modify the Internet server's response so as to include
the malicious code. Such an attack could only be mounted by attackers
capable of monitoring and modifying the administrator's Internet traffic
(most likely an ISP or someone who broke into an ISP).

- The WebLogic Administration Console can be disabled, which would
neutralize this vulnerability.

Disclaimer
==========
The content of this report is purely informational and meant only for the
purpose of education and protection. ACROS d.o.o. shall in no event be
liable for any damage whatsoever, direct or implied, arising from use or
spread of this information. All identifiers (hostnames, IP addresses,
company names, individual names etc.) used in examples and demonstrations
are used only for explanatory purposes and have no connection with any
real host, company or individual. In no event should it be assumed that
use of these names means specific hosts, companies or individuals are
vulnerable to any attacks nor does it mean that they consent to being used
in any vulnerability tests. The use of information in this report is
entirely at user's risk.

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

Jan Minar discovered that Vim did not properly sanitize inputs before invoking
the execute or system functions inside Vim scripts. If a user were tricked
into running Vim scripts with a specially crafted input, an attacker could
execute arbitrary code with the privileges of the user invoking the program.
(CVE-2008-2712)

Ben Schmidt discovered that Vim did not properly escape characters when
performing keyword or tag lookups. If a user were tricked into running specially
crafted commands, an attacker could execute arbitrary code with the privileges
of the user invoking the program. (CVE-2008-4101)

Multiple vulnerabilities have been discovered in OpenX, which can be
exploited by malicious people to conduct cross-site scripting,
cross-site request forgery, and file inclusion attacks and by
malicious users to conduct script insertion and SQL injection attacks.

1) Input passed to the "clientid" parameter in "www/admin/banner-acl.php",
"www/admin/banner-edit.php", "www/admin/campaign-zone.php",
"www/admin/advertiser-campaigns.php", "www/admin/campaign-banners.php",
and "www/admin/banner-activate.php" is not properly
sanitised before being returned to the user. This can be exploited to
execute arbitrary HTML and script code in a user's browser session in
the context of an affected site.

2) Input passed to the "orderdirection" and "listorder" parameters in
"www/admin/userlog-index.php" and "www/admin/stats.php" is not
properly sanitised before being returned to the user. This can be
exploited to execute arbitrary HTML and script code in a user's
browser session in the context of an affected site.

3) Input passed to the "origPublisherId" parameter in
"www/admin/userlog-index.php" is not properly sanitised before being
returned to the user. This can be exploited to execute arbitrary HTML
and script code in a user's browser session in the context of an
affected site.

4) Input passed to "setPerPage", "day", "period_end", "period_start",
and "statsBreakdown" parameters in "www/admin/stats.php" is not
properly sanitised before being returned to the user. This can be
exploited to execute arbitrary HTML and script code in a user's
browser session in the context of an affected site.

5) Input passed to the "campaignid" parameter in "www/admin/banner-acl.php",
"www/admin/banner-edit.php", "www/admin/banner-acl.php",
"www/admin/campaign-zone.php", and "www/admin/campaign-banners.php"
is not properly sanitised before being returned to the user. This can
be exploited to execute arbitrary HTML and script code in a user's
browser session in the context of an affected site.

6) Input passed to the "bannerid" parameter in "www/admin/banner-acl.php"
is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a
user's browser session in the context of an affected site.

7) Input passed to the "affiliateid" parameter in
"www/admin/zone-probability.php", "www/admin/zone-invocation.php",
"www/admin/affiliate-zones.php", and "www/admin/zone-include.php" is
not properly sanitised before being returned to the user. This can be
exploited to execute arbitrary HTML and script code in a user's
browser session in the context of an affected site.

8) Input passed to the "zoneid" parameter in
"www/admin/zone-probability.php", "www/admin/zone-invocation.php", and
"www/admin/zone-include.php" is not properly sanitised before being
returned to the user. This can be exploited to execute arbitrary HTML
and script code in a user's browser session in the context of an
affected site.

9) Input passed to the "userid" parameter in "www/admin/admin-user.php"
is not properly sanitised before being returned to the
user. This can be exploited to execute arbitrary HTML and script code
in a user's browser session in the context of an affected site.

10) Input passed to the "thirdpartytrack" parameter in
"www/admin/admin-generate.php" is not properly sanitised before being
returned to the user. This can be exploited to execute arbitrary HTML
and script code in a user's browser session in the context of an
affected site.

11) Input passed to the "agencyid" parameter in "www/admin/agency-edit.php"
is not properly sanitised before being returned to the
user. This can be exploited to execute arbitrary HTML and script code
in a user's browser session in the context of an affected site.

12) Input passed to the "codetype" parameter in
"www/admin/affiliate-preview.php" is not properly sanitised before being
returned to the
user. This can be exploited to execute arbitrary HTML and script code
in a user's browser session in the context of an affected site.

13) The application allows users to perform certain actions via HTTP
requests without performing any validity checks to verify the
requests. This can be exploited to e.g. perform script insertion
attacks via the "timezone" parameter in
www/admin/account-preferences-timezone.php by tricking the user into visiting a
malicious web site.

14) Input passed to the "name" and "description" parameters in
"www/admin/channel-edit.php" is not properly sanitised before being
used. This can be exploited to insert arbitrary HTML and script code,
which is executed in a user's browser session in the context of an
affected site when the malicious entry is viewed.

15) Input passed to the "campaignid" parameter in "www/admin/banner-acl.php",
"www/admin/campaign-edit.php", and "www/admin/banner-edit.php" is not
properly sanitised before being used in SQL queries.
This can be exploited to manipulate SQL queries by injecting
arbitrary SQL code.

16) Input passed to the "bannerid" parameter in "www/admin/banner-acl.php"
is not properly sanitised before being used in SQL queries.
This can be exploited to manipulate SQL queries by injecting
arbitrary SQL code.

17) Input passed to the "listorder" parameter in
"www/admin/userlog-index.php" is not properly sanitised before being used in SQL
queries. This can be exploited to manipulate SQL queries by injecting
arbitrary SQL code.

18) Input passed to the "affiliateid" parameter in
"www/admin/zone-probability.php", "www/admin/channel-edit.php",
"www/admin/zone-invocation.php", and "www/admin/zone-include.php" is not properly
sanitised before being used in SQL queries. This can be exploited to
manipulate SQL queries by injecting arbitrary SQL code.

19) Input passed to the "clientid" parameter in
"www/admin/campaign-banners.php" is not properly sanitised before being used in SQL
queries. This can be exploited to manipulate SQL queries by injecting
arbitrary SQL code.

20) Input passed to the "zoneid" parameter in "www/admin/zone-delete.php"
and "www/admin/zone-include.php" is not properly
sanitised before being used in SQL queries. This can be exploited to
manipulate SQL queries by injecting arbitrary SQL code.

21) Input passed to the "channelid" parameter in
"www/admin/channel-acl.php" is not properly sanitised before being used in SQL queries.
This can be exploited to manipulate SQL queries by injecting
arbitrary SQL code.

22) Input passed to the "MAX_type" parameter in "www/delivery/fc.php"
and to the "lang" parameter in "www/admin/numberFormat.js.php" is not
properly verified before being used to include files. This can be
exploited to include arbitrary files from local resources via
directory traversal attacks.
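The 22 items above fall into four classes: ids reflected into HTML unencoded, ids concatenated into SQL, sort parameters spliced into ORDER BY, and a request-controlled include path. The following is an added example (not OpenX code) showing the input-handling pattern that closes each class, run against a constructed in-memory SQLite table; the column names, table layout and include root are assumptions.

```python
"""Hardening patterns for the OpenX flaw classes listed above.
Added example, not OpenX code; names and data are constructed."""
import html
import re
import sqlite3
from pathlib import Path

# Items 1-12: numeric ids such as clientid/campaignid/zoneid are reflected
# unencoded. Accept only plain non-negative integers, so no markup or SQL
# can ride along in the value.
def parse_id(value):
    """Return the id as int, or None if it is not a string of ASCII digits."""
    if not isinstance(value, str) or not re.fullmatch(r"[0-9]+", value):
        return None
    return int(value)

# Items 1-14: anything echoed back into HTML is entity-encoded first.
def render_field(value):
    """Encode a value for insertion into an HTML text node or attribute."""
    return html.escape(str(value), quote=True)

# Item 17: listorder/orderdirection feed an ORDER BY clause, which cannot be
# bound as a parameter, so both are checked against an allow-list instead.
SORT_COLUMNS = {"date", "action", "username"}      # hypothetical column names
SORT_DIRECTIONS = {"ASC", "DESC"}

def build_userlog_query(listorder, orderdirection):
    column = listorder if listorder in SORT_COLUMNS else "date"
    direction = orderdirection.upper()
    if direction not in SORT_DIRECTIONS:
        direction = "DESC"
    return f"SELECT id, action FROM userlog WHERE campaignid = ? ORDER BY {column} {direction}"

# Items 15-21: the id goes in as a bound parameter, never by string
# concatenation, so SQL metacharacters in the request have no effect.
def fetch_userlog(conn, campaignid, listorder="date", orderdirection="desc"):
    cid = parse_id(campaignid)
    if cid is None:
        return []
    sql = build_userlog_query(listorder, orderdirection)
    return conn.execute(sql, (cid,)).fetchall()

# Item 22: a request-controlled include name is resolved and must stay under
# the include root; "..", absolute paths and symlinks leading out are rejected.
def resolve_include(root, requested):
    root = Path(root).resolve()
    candidate = (root / requested).resolve()
    if root not in candidate.parents:
        return None
    return candidate

def demo_conn():
    """Constructed sample data standing in for the userlog table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE userlog(id INTEGER, campaignid INTEGER, "
                 "action TEXT, date TEXT, username TEXT)")
    conn.executemany("INSERT INTO userlog VALUES (?,?,?,?,?)", [
        (1, 7, "banner added", "2009-01-20", "alice"),
        (2, 7, "banner edited", "2009-01-21", "bob"),
        (3, 8, "zone deleted", "2009-01-22", "carol"),
    ])
    return conn

if __name__ == "__main__":
    conn = demo_conn()
    print(fetch_userlog(conn, "7", "username", "asc"))
    print(fetch_userlog(conn, "7 OR 1=1"))           # rejected: []
    print(render_field('<script>'))
    print(resolve_include("/srv/openx/lib", "../../../etc/passwd"))  # None
```

The allow-list for ORDER BY is the part most often missed: parameter binding protects values, not identifiers, so a sort column or direction taken from the request must be matched against known names rather than escaped.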

=====================================================================
6) Time Table

20/01/2009 - Vendor notified (requested security contact).
20/01/2009 - Vendor informs that request has been passed on to
engineering team.
26/01/2009 - Third party publicly reports some of the vulnerabilities.
27/01/2009 - Public disclosure.

Summary: Multiple security risks exist in Apache Tomcat as
included with CA Cohesion Application Configuration Manager. CA
has issued an update to address the vulnerabilities. Refer to the
References section for the full list of resolved issues by CVE
identifier.

1. Using Windows Explorer, locate the file "RELEASE-NOTES".
2. By default, the file is located in the
"C:\Program Files\CA\Cohesion\Server\server\" directory.
3. Open the file with a text editor.
4. If the version is less than 5.5.25, the installation is
vulnerable.

Introduction:
-------------
The vulnerability found targets the SAP NetWeaver portal. It is
possible to execute JavaScript code in the browser of a valid user
when clicking on a specially crafted URL which can be sent to the
user by email.
This vulnerability can be used to steal the user's session cookie or
redirect him to a phishing website which shows the (faked) login
screen and gets his logon credentials as soon as he tries to log in
on the faked site.

Description:
------------
A specially crafted URL in SAP NetWeaver allows an attacker to
launch a cross-site scripting attack. The resulting page contains
only the unfiltered value of the vulnerable parameter. It is possible
to create a URL which causes the resulting page to contain malicious
JavaScript code. A response to such a request could look like the
following example:

The code only gets executed in Microsoft Internet Explorer (tested
with version 7.0.5730 only). In Firefox (tested with version 3.0
only) it did not get executed as the content-type header of the
server response is interpreted more strictly (text/plain).
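Two response properties decide how far the WebLogic and SAP issues above can be pushed: whether the session cookie is readable by script (the WebLogic attack exfiltrates ADMINCONSOLESESSION), and whether a browser will sniff a reflected `text/plain` body as HTML (the reason the SAP payload ran in IE 7 but not Firefox 3). The following added example, not Oracle or SAP code, audits a raw HTTP response for both and emits a hardened copy; the response text, the echoed parameter value and the `Unknown page:` wording are constructed.

```python
"""Audit and harden an HTTP response for reflected input, session-cookie
attributes and content-type sniffing. Added example; sample data constructed."""
import html

def parse_response(raw):
    """Split a raw HTTP/1.x response into (status line, [(name, value)], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body

def header_values(headers, name):
    """Case-insensitive lookup returning every value for a header name."""
    return [v for n, v in headers if n.lower() == name.lower()]

def cookie_attrs(set_cookie):
    """Attribute names (lowercased) following the name=value pair."""
    return {a.strip().split("=", 1)[0].lower() for a in set_cookie.split(";")[1:]}

def audit_response(raw, reflected_input, session_cookie_names):
    """Return a list of findings; an empty list means every check passed."""
    status, headers, body = parse_response(raw)
    findings = []
    # Reflection without encoding: the raw input reappears verbatim in the body.
    if reflected_input in body and html.escape(reflected_input) != reflected_input:
        findings.append("input reflected without HTML encoding")
    if not header_values(headers, "content-type"):
        findings.append("missing Content-Type")
    # nosniff makes browsers honour the declared type instead of guessing,
    # which is what let the text/plain reflection execute in IE 7.
    nosniff = [v.lower() for v in header_values(headers, "x-content-type-options")]
    if "nosniff" not in nosniff:
        findings.append("missing X-Content-Type-Options: nosniff")
    # A session cookie without HttpOnly is readable by injected script.
    for cookie in header_values(headers, "set-cookie"):
        name = cookie.split("=", 1)[0].strip()
        if name in session_cookie_names:
            attrs = cookie_attrs(cookie)
            if "httponly" not in attrs:
                findings.append(f"{name} cookie lacks HttpOnly")
            if "secure" not in attrs:
                findings.append(f"{name} cookie lacks Secure")
    return findings

def harden_response(raw, reflected_input, session_cookie_names):
    """Re-emit the response with the input encoded and missing attributes added."""
    status, headers, body = parse_response(raw)
    body = body.replace(reflected_input, html.escape(reflected_input, quote=True))
    out = []
    for n, v in headers:
        if n.lower() == "set-cookie" and v.split("=", 1)[0].strip() in session_cookie_names:
            attrs = cookie_attrs(v)
            if "httponly" not in attrs:
                v += "; HttpOnly"
            if "secure" not in attrs:
                v += "; Secure"
        out.append((n, v))
    if not header_values(out, "x-content-type-options"):
        out.append(("X-Content-Type-Options", "nosniff"))
    head = "\r\n".join([status] + [f"{n}: {v}" for n, v in out])
    return head + "\r\n\r\n" + body

# Constructed sample: a console-style response echoing a query value and
# setting the session cookie named in the WebLogic advisory.
INJECTED = '<img src=x onerror="alert(1)">'
SAMPLE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/plain\r\n"
    "Set-Cookie: ADMINCONSOLESESSION=abc123; Path=/console\r\n"
    "\r\n"
    f"Unknown page: {INJECTED}\r\n"
)

if __name__ == "__main__":
    names = {"ADMINCONSOLESESSION"}
    for f in audit_response(SAMPLE, INJECTED, names):
        print("finding:", f)
    print(harden_response(SAMPLE, INJECTED, names))
```

HttpOnly does not stop the injection itself, only the cookie theft the WebLogic advisory describes; output encoding is still the actual fix, and the audit reports both so neither is mistaken for the other.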

SAP Information Policy:
-----------------------
The information is available to registered SAP clients only (SAP
Security Notes).

Patches:
--------
Apply the latest SAP security patches for NetWeaver. For more detailed
patch information, see SAP notification number 1235253.

Summary: The CA Anti-Virus engine contains multiple
vulnerabilities that can allow a remote attacker to evade
detection by the Anti-Virus engine by creating a malformed archive
file in one of several common file archive formats. CA has
released a new Anti-Virus engine to address the vulnerabilities.
The vulnerabilities, CVE-2009-0042, are due to improper handling
of malformed archive files by the Anti-Virus engine. A remote
attacker can create a malformed archive file that potentially
contains malware and evade anti-virus detection.

Note: After files have been extracted from an archive, the desktop
Anti-Virus engine is able to scan all files for malware.
Consequently, detection evasion can be a concern for gateway
anti-virus software if archives are not scanned, but the risk is
effectively mitigated by the desktop anti-virus engine.

Status and Recommendation:
CA released arclib 7.3.0.15 in September 2008. If your product is
configured for automatic updates, you should already be protected,
and you need to take no action. If your product is not configured
for automatic updates, then you simply need to run the update
utility included with your product.

How to determine if you are affected:

For products on Windows:

1. Using Windows Explorer, locate the file "arclib.dll". By
default, the file is located in the
"C:\Program Files\CA\SharedComponents\ScanEngine" directory (*).
2. Right click on the file and select Properties.
3. Select the Version tab.
4. If the file version is earlier than indicated below, the
installation is vulnerable.

File Name     File Version
arclib.dll    7.3.0.15

*For eTrust Intrusion Detection 2.0 the file is located in
"Program Files\eTrust\Intrusion Detection\Common", and for eTrust
Intrusion Detection 3.0 and 3.0 sp1, the file is located in
"Program Files\CA\Intrusion Detection\Common".

For CA Anti-Virus r8.1 on non-Windows platforms:

Use the compver utility provided on the CD to determine the
version of Arclib. If the version is less than 7.3.0.15, the
installation is vulnerable.
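Both CA procedures above end in the same step: compare the version string you read (from the Properties dialog, the compver utility, or Cohesion's RELEASE-NOTES) with a fixed version. The following added example, not CA's tooling, does that comparison component by component, because comparing the strings directly puts "7.3.0.9" after "7.3.0.15"; the component names in `FIXED` are labels chosen here, and the only real values are the two fixed versions the advisories state.

```python
"""Dotted version comparison for the CA version checks above.
Added example, not CA's tooling; component labels are assumptions."""
import re

def parse_version(text):
    """Turn '7.3.0.15', '5.5.25' or 'Apache Tomcat Version 5.5.26' into a tuple of ints."""
    m = re.search(r"\d+(?:\.\d+)*", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(part) for part in m.group(0).split("."))

def is_vulnerable(installed, fixed):
    """True when the installed version is older than the first fixed version.
    Shorter tuples are zero-padded so that 5.5 compares equal to 5.5.0."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b

# Fixed versions named in the two CA advisories above; the keys are labels.
FIXED = {
    "arclib.dll": "7.3.0.15",            # CA Anti-Virus engine archive library
    "tomcat (RELEASE-NOTES)": "5.5.25",  # Tomcat bundled with CA Cohesion ACM
}

def check_all(observed):
    """observed maps a label to the version string read from the system;
    returns the sorted labels whose version is below the fixed one."""
    return sorted(label for label, version in observed.items()
                  if label in FIXED and is_vulnerable(version, FIXED[label]))

if __name__ == "__main__":
    # Constructed readings: an old arclib.dll and an already-updated Tomcat.
    print(check_all({"arclib.dll": "7.3.0.12",
                     "tomcat (RELEASE-NOTES)": "Apache Tomcat Version 5.5.26"}))
```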

Data length values in the metadata of Audible Audio media files (.aa) can
lead to an integer overflow, which remote attackers can use to trigger a
heap overflow and potentially execute arbitrary code
(CVE-2009-0135).

After a standard system upgrade you need to restart any Java applications
to effect the necessary changes.

Details follow:

It was discovered that Java did not correctly handle untrusted applets.
If a user were tricked into running a malicious applet, a remote attacker
could gain user privileges, or list directory contents. (CVE-2008-5347,
CVE-2008-5350)

It was discovered that Kerberos authentication and RSA public key
processing were not correctly handled in Java. A remote attacker
could exploit these flaws to cause a denial of service. (CVE-2008-5348,
CVE-2008-5349)

It was discovered that Java accepted UTF-8 encodings that might be
handled incorrectly by certain applications. A remote attacker could
bypass string filters, possibly leading to other exploits. (CVE-2008-5351)

Overflows were discovered in Java JAR processing. If a user or
automated system were tricked into processing a malicious JAR file,
a remote attacker could crash the application, leading to a denial of
service. (CVE-2008-5352, CVE-2008-5354)

It was discovered that Java calendar objects were not unserialized safely.
If a user or automated system were tricked into processing a specially
crafted calendar object, a remote attacker could execute arbitrary code
with user privileges. (CVE-2008-5353)

It was discovered that the Java image handling code could lead to memory
corruption. If a user or automated system were tricked into processing
a specially crafted image, a remote attacker could crash the application,
leading to a denial of service. (CVE-2008-5358, CVE-2008-5359)

It was discovered that temporary files created by Java had predictable
names. If a user or automated system were tricked into processing a
specially crafted JAR file, a remote attacker could overwrite sensitive
information. (CVE-2008-5360)